Keeping Your Images from Adorning Other Sites Page 2

One of these header fields is of particular importance to what we want to
do. It's called the Referer field (yes, I know, it's
misspelt--but that's how it's misspelt in the definition, too), and
it indicates the URL of the client's last page if and only if
the client is following a link. That is, if you're viewing
page A, and click on a link to page B, the request for page B will
include a Referer field that says "I'm following a link
on page A." If no link is being followed, such as if the user
just typed B's URL into the Location field of his browser,
there will be no Referer field in the request header.

How does this help? Well, it gives us a way to tell whether an
image is being requested because it was linked to by one of our
pages -- or by someone else's.

For a simple case, suppose our Web site's main page is
<http://my.apache.org/>. In this case, we want
to restrict any artwork requests that don't originate on our site
(i.e., only allow them if the image was linked to by one
of our pages). We can do this by using an environment variable
(also called an envariable) as a flag, and setting it if the
conditions are right. Something like the following ought to do it:

SetEnvIfNoCase Referer "^http://my\.apache\.org/" local_ref=1

When Apache processes a request, it will examine the Referer
field in the header, and set the environment variable local_ref
to "1" if the value starts with our site address--i.e., is one of
our pages.

The string inside the quotation marks is a regular expression pattern
that the value must match in order for the environment variable to be
set. Describing how to use regular expressions (REs) is far beyond the
scope of this article; for now, just be aware that the SetEnvIf*
directives use them.

The "NoCase" portion of the directive name means, "do this
whether the Referer is 'http://my.apache.org/', or
'http://My.Apache.Org/', or 'http://MY.APACHE.ORG/'" -- in other words,
ignore the upper/lower case of the value.
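
As an added illustration (not code from the original article), the Python
sketch below approximates how the SetEnvIfNoCase test treats different
Referer values for the site address used above, and compares a pattern whose
dots are left unescaped with one that escapes them. The sample Referer values
and the names local_ref(), LOOSE, STRICT and evaluate() are constructed for
this example; Python's re module stands in for Apache's regex engine.

```python
import re

# Constructed patterns for the article's site address. LOOSE leaves the dots
# unescaped (each "." matches any character); STRICT escapes them.
LOOSE = re.compile(r"^http://my.apache.org/", re.IGNORECASE)
STRICT = re.compile(r"^http://my\.apache\.org/", re.IGNORECASE)


def local_ref(referer, pattern=STRICT):
    """Approximate SetEnvIfNoCase: return "1" if the Referer value matches,
    or None if the variable would stay unset. An absent header (None) is
    tested as an empty string, which these patterns cannot match."""
    value = referer or ""
    return "1" if pattern.search(value) else None


# Constructed Referer values (None means the header is absent).
SAMPLES = [
    "http://my.apache.org/index.html",                   # our own page
    "http://MY.APACHE.ORG/gallery/",                     # same host, other case
    None,                                                # URL typed in directly
    "http://other.example/page.html",                    # someone else's page
    "http://other.example/?from=http://my.apache.org/",  # "^" anchor rejects it
    "http://my.apache.org.other.example/",               # trailing "/" rejects it
    "http://myxapache.org/",                             # only LOOSE accepts it
]


def evaluate(samples=SAMPLES):
    """Return (referer, loose_result, strict_result) for each sample."""
    return [(r, local_ref(r, LOOSE), local_ref(r, STRICT)) for r in samples]


if __name__ == "__main__":
    for referer, loose, strict in evaluate():
        print(f"{str(referer):52} loose={loose!s:5} strict={strict}")
```
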

The Order, Allow, and Deny
directives allow us to control access to documents based upon the
setting (or unset-ness) of an envariable. The first thing to do
is to indicate the order in which Apache will process Allow
and Deny directives; you do this with the Order
directive as follows:

Order Allow,Deny

This means that Apache will go through any list of Allow
directives it has that apply to the current request, and then repeat
the process with any Deny directives. With this ordering,
the default condition is 'denied;' that is, no-one will be able to access
anything unless there's an applicable Allow directive.

All right, so let's add the directive that will let local references
work: